Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2018-20852.patch | 124 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2019-9636.patch | 154 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.7.3.bb (renamed from meta/recipes-devtools/python/python3_3.7.2.bb) | 8 |
5 files changed, 5 insertions, 285 deletions
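--- a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
+++ b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
@@ -1,4 +1,4 @@
-From 4865615a2bc2b78c739e4c33f536712c7f9af061 Mon Sep 17 00:00:00 2001
+From 17796e353acf08acd604610f34840a4a9d2f4b54 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Thu, 31 Jan 2019 16:46:30 +0100
 Subject: [PATCH] distutils/sysconfig: append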
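--- a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
+++ b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
@@ -1,4 +1,4 @@
-From 1397979ee445ff6826aa5469511e003539f77bb2 Mon Sep 17 00:00:00 2001
+From 12900d498bb77bcc990868a80eaf0ab257b88fff Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Tue, 14 May 2013 15:00:26 -0700
 Subject: [PATCH] python3: Add target and native recipes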
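--- a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From e5123d81ffb3be35a1b2767d6ced1a097aaf77be Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
-<31488909+miss-islington@users.noreply.github.com>
-Date: Sat, 9 Mar 2019 18:58:25 -0800
-Subject: [PATCH] bpo-35121: prefix dot in domain for proper subdomain
-validation (GH-10258) (GH-12261)
-
-Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
-(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
-
-Co-authored-by: Xtreak <tir.karthi@gmail.com>
-Upstream-Status: Backport
-CVE: CVE-2018-20852
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
-Lib/http/cookiejar.py | 13 ++++++--
-Lib/test/test_http_cookiejar.py | 30 +++++++++++++++++++
-.../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 4 +++
-3 files changed, 45 insertions(+), 2 deletions(-)
-create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-
-diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
-index e0f1032b2816..00cb1250a07e 100644
---- a/Lib/http/cookiejar.py
-+++ b/Lib/http/cookiejar.py
-@@ -1145,6 +1145,11 @@ def return_ok_domain(self, cookie, request):
-req_host, erhn = eff_request_host(request)
-domain = cookie.domain
-
-+ if domain and not domain.startswith("."):
-+ dotdomain = "." + domain
-+ else:
-+ dotdomain = domain
-+
-# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
-if (cookie.version == 0 and
-(self.strict_ns_domain & self.DomainStrictNonDomain) and
-@@ -1157,7 +1162,7 @@ def return_ok_domain(self, cookie, request):
-_debug(" effective request-host name %s does not domain-match "
-"RFC 2965 cookie domain %s", erhn, domain)
-return False
-- if cookie.version == 0 and not ("."+erhn).endswith(domain):
-+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
-_debug(" request-host %s does not match Netscape cookie domain "
-"%s", req_host, domain)
-return False
-@@ -1171,7 +1176,11 @@ def domain_return_ok(self, domain, request):
-req_host = "."+req_host
-if not erhn.startswith("."):
-erhn = "."+erhn
-- if not (req_host.endswith(domain) or erhn.endswith(domain)):
-+ if domain and not domain.startswith("."):
-+ dotdomain = "." + domain
-+ else:
-+ dotdomain = domain
-+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
-#_debug(" request domain %s does not match cookie domain %s",
-# req_host, domain)
-return False
-diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
-index abc625d672a7..6e1b30881310 100644
---- a/Lib/test/test_http_cookiejar.py
-+++ b/Lib/test/test_http_cookiejar.py
-@@ -415,6 +415,7 @@ def test_domain_return_ok(self):
-("http://foo.bar.com/", ".foo.bar.com", True),
-("http://foo.bar.com/", "foo.bar.com", True),
-("http://foo.bar.com/", ".bar.com", True),
-+ ("http://foo.bar.com/", "bar.com", True),
-("http://foo.bar.com/", "com", True),
-("http://foo.com/", "rhubarb.foo.com", False),
-("http://foo.com/", ".foo.com", True),
-@@ -425,6 +426,8 @@ def test_domain_return_ok(self):
-("http://foo/", "foo", True),
-("http://foo/", "foo.local", True),
-("http://foo/", ".local", True),
-+ ("http://barfoo.com", ".foo.com", False),
-+ ("http://barfoo.com", "foo.com", False),
-]:
-request = urllib.request.Request(url)
-r = pol.domain_return_ok(domain, request)
-@@ -959,6 +962,33 @@ def test_domain_block(self):
-c.add_cookie_header(req)
-self.assertFalse(req.has_header("Cookie"))
-
-+ c.clear()
-+
-+ pol.set_blocked_domains([])
-+ req = urllib.request.Request("http://acme.com/")
-+ res = FakeResponse(headers, "http://acme.com/")
-+ cookies = c.make_cookies(res, req)
-+ c.extract_cookies(res, req)
-+ self.assertEqual(len(c), 1)
-+
-+ req = urllib.request.Request("http://acme.com/")
-+ c.add_cookie_header(req)
-+ self.assertTrue(req.has_header("Cookie"))
-+
-+ req = urllib.request.Request("http://badacme.com/")
-+ c.add_cookie_header(req)
-+ self.assertFalse(pol.return_ok(cookies[0], req))
-+ self.assertFalse(req.has_header("Cookie"))
-+
-+ p = pol.set_blocked_domains(["acme.com"])
-+ req = urllib.request.Request("http://acme.com/")
-+ c.add_cookie_header(req)
-+ self.assertFalse(req.has_header("Cookie"))
-+
-+ req = urllib.request.Request("http://badacme.com/")
-+ c.add_cookie_header(req)
-+ self.assertFalse(req.has_header("Cookie"))
-+
-def test_secure(self):
-for ns in True, False:
-for whitespace in " ", "":
-diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-new file mode 100644
-index 000000000000..d2eb8f1f352c
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-@@ -0,0 +1,4 @@
-+Don't send cookies of domain A without Domain attribute to domain B
-+when domain A is a suffix match of domain B while using a cookiejar
-+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
-+Karthikeyan Singaravelan.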
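--- a/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From daad2c482c91de32d8305abbccc76a5de8b3a8be Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@microsoft.com>
-Date: Thu, 7 Mar 2019 09:08:18 -0800
-Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
-to separators (GH-12201)
-
-Upstream-Status: Backport
-CVE: CVE-2019-9636
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-
----
-Doc/library/urllib.parse.rst | 18 +++++++++++++++
-Lib/test/test_urlparse.py | 23 +++++++++++++++++++
-Lib/urllib/parse.py | 17 ++++++++++++++
-.../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
-4 files changed, 61 insertions(+)
-create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-
-diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
-index 0c8f0f607314..b565e1edd321 100644
---- a/Doc/library/urllib.parse.rst
-+++ b/Doc/library/urllib.parse.rst
-@@ -124,6 +124,11 @@ or on combining URL components into a URL string.
-Unmatched square brackets in the :attr:`netloc` attribute will raise a
-:exc:`ValueError`.
-
-+ Characters in the :attr:`netloc` attribute that decompose under NFKC
-+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
-+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+ decomposed before parsing, no error will be raised.
-+
-.. versionchanged:: 3.2
-Added IPv6 URL parsing capabilities.
-
-@@ -136,6 +141,10 @@ or on combining URL components into a URL string.
-Out-of-range port numbers now raise :exc:`ValueError`, instead of
-returning :const:`None`.
-
-+ .. versionchanged:: 3.7.3
-+ Characters that affect netloc parsing under NFKC normalization will
-+ now raise :exc:`ValueError`.
-+
-
-.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
-
-@@ -257,10 +266,19 @@ or on combining URL components into a URL string.
-Unmatched square brackets in the :attr:`netloc` attribute will raise a
-:exc:`ValueError`.
-
-+ Characters in the :attr:`netloc` attribute that decompose under NFKC
-+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
-+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+ decomposed before parsing, no error will be raised.
-+
-.. versionchanged:: 3.6
-Out-of-range port numbers now raise :exc:`ValueError`, instead of
-returning :const:`None`.
-
-+ .. versionchanged:: 3.7.3
-+ Characters that affect netloc parsing under NFKC normalization will
-+ now raise :exc:`ValueError`.
-+
-
-.. function:: urlunsplit(parts)
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index be50b47603aa..e6638aee2244 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1,3 +1,5 @@
-+import sys
-+import unicodedata
-import unittest
-import urllib.parse
-
-@@ -984,6 +986,27 @@ def test_all(self):
-expected.append(name)
-self.assertCountEqual(urllib.parse.__all__, expected)
-
-+ def test_urlsplit_normalization(self):
-+ # Certain characters should never occur in the netloc,
-+ # including under normalization.
-+ # Ensure that ALL of them are detected and cause an error
-+ illegal_chars = '/:#?@'
-+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
-+ denorm_chars = [
-+ c for c in map(chr, range(128, sys.maxunicode))
-+ if (hex_chars & set(unicodedata.decomposition(c).split()))
-+ and c not in illegal_chars
-+ ]
-+ # Sanity check that we found at least one such character
-+ self.assertIn('\u2100', denorm_chars)
-+ self.assertIn('\uFF03', denorm_chars)
-+
-+ for scheme in ["http", "https", "ftp"]:
-+ for c in denorm_chars:
-+ url = "{}://netloc{}false.netloc/path".format(scheme, c)
-+ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
-+ with self.assertRaises(ValueError):
-+ urllib.parse.urlsplit(url)
-
-class Utility_Tests(unittest.TestCase):
-"""Testcase to test the various utility functions in the urllib."""
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index f691ab74f87f..39c5d6a80824 100644
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):
-delim = min(delim, wdelim) # use earliest delim position
-return url[start:delim], url[delim:] # return (domain, rest)
-
-+def _checknetloc(netloc):
-+ if not netloc or netloc.isascii():
-+ return
-+ # looking for characters like \u2100 that expand to 'a/c'
-+ # IDNA uses NFKC equivalence, so normalize for this check
-+ import unicodedata
-+ netloc2 = unicodedata.normalize('NFKC', netloc)
-+ if netloc == netloc2:
-+ return
-+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
-+ for c in '/?#@:':
-+ if c in netloc2:
-+ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
-+ "characters under NFKC normalization")
-+
-def urlsplit(url, scheme='', allow_fragments=True):
-"""Parse a URL into 5 components:
-<scheme>://<netloc>/<path>?<query>#<fragment>
-@@ -419,6 +434,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-url, fragment = url.split('#', 1)
-if '?' in url:
-url, query = url.split('?', 1)
-+ _checknetloc(netloc)
-v = SplitResult('http', netloc, url, query, fragment)
-_parse_cache[key] = v
-return _coerce_result(v)
-@@ -442,6 +458,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-url, fragment = url.split('#', 1)
-if '?' in url:
-url, query = url.split('?', 1)
-+ _checknetloc(netloc)
-v = SplitResult(scheme, netloc, url, query, fragment)
-_parse_cache[key] = v
-return _coerce_result(v)
-diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-new file mode 100644
-index 000000000000..5546394157f9
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-@@ -0,0 +1,3 @@
-+Changes urlsplit() to raise ValueError when the URL contains characters that
-+decompose under IDNA encoding (NFKC-normalization) into characters that
-+affect how the URL is parsed.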
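--- a/meta/recipes-devtools/python/python3_3.7.2.bb
+++ b/meta/recipes-devtools/python/python3_3.7.3.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
 LICENSE = "PSFv2"
 SECTION = "devel/python"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 file://run-ptest \
@@ -22,8 +22,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 file://0002-Don-t-do-runtime-test-to-get-float-byte-order.patch \
 file://0003-setup.py-pass-missing-libraries-to-Extension-for-mul.patch \
 file://0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch \
-file://CVE-2018-20852.patch \
-file://CVE-2019-9636.patch \
 file://CVE-2019-9740.patch \
 "
 
@@ -35,8 +33,8 @@ SRC_URI_append_class-nativesdk = " \
 file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
 "
 
-SRC_URI[md5sum] = "df6ec36011808205beda239c72f947cb"
-SRC_URI[sha256sum] = "d83fe8ce51b1bb48bbcf0550fd265b9a75cdfdfa93f916f9e700aef8444bf1bb"
+SRC_URI[md5sum] = "93df27aec0cd18d6d42173e601ffbbfd"
+SRC_URI[sha256sum] = "da60b54064d4cfcd9c26576f6df2690e62085123826cff2e667e72a91952d318"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"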
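Review bot: Dropping `file://CVE-2018-20852.patch` and `file://CVE-2019-9636.patch` from SRC_URI also drops the `CVE:` tags in those patch headers that cve-check used to mark the issues as addressed, so the upgrade should record that both fixes (bpo-35121 and bpo-36216) ship in upstream 3.7.3 and that the patches are therefore redundant rather than lost; the commit message is outside this view, so this may already be stated there. The LIC_FILES_CHKSUM change in the first hunk should likewise be explained with a `License-Update:` line describing what changed in LICENSE, since a bare checksum bump gives a later reviewer no way to distinguish a copyright-year refresh from a substantive license change. The retained `file://CVE-2019-9740.patch` appears to still be required, as that fix landed upstream after 3.7.3, but it is worth confirming it applies cleanly to the new tarball.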